Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Transcription

1 Appendix 10 IT Security Implementation Guide For Information Management and Communication Support (IMCS)

2 10.1 Security Awareness Training As defined in NPR A, all contractor personnel with access to Government data, including off-site personnel supporting the contract shall complete security training annually as required to meet Agency IT security training and awareness requirements. The Contractor shall use the Government provided training systems to meet this annual security requirement Security Training All contractor individuals who perform tasks as a system administrator, or have authority to perform tasks normally performed by system administrator, shall be required to demonstrate knowledge appropriate to those tasks. This demonstration is referred to as the NASA System Administrator Security Certification using the Agency provided tools System and Application Life Cycle Requirements The contractor shall comply with NPR A, Chapter 5, System Development Life Cycle (SDLC), requirements during all phases of the Systems and Applications Life Cycle Security Risk Assessments and Design Reviews The contractor shall follow the NIST SP , Security Self-Assessment Guide for Information Technology Systems; NIST SP , Risk Management Guide for Information Technology Systems; and submit a completed security risk assessment on a design prior to the design being provided to NASA. Before or during official design reviews, the contractor shall provide design security risks, including possible s, to the system owner or data owner and OCSO. If the risks are accepted the life cycle may continue; otherwise, the life cycle shall halt or the design and/or s shall be modified until the risks and possible s are acceptable Security Reviews for New or Modified Hardware, Software, and Configurations The contractor shall provide a written risk assessment and security review for new or significantly modified hardware, software, or configurations, prior to deployment. The products reviewed shall be used as a basis to update IT Security Plans, as applicable. Prior to deployment, all risks shall be presented to the system owner, AO, and OCSO, separate from the security plan. If the hardware or software connects to other systems the risks shall be presented to the system owner or equivalents and OCSO of the interconnected systems for their information. Page 10-1 of 10-8

3 10.6 Minimum System Security Requirements Prior to connecting any new non-government provided computer system or equipment to the KSC Institutional Networks, the contractor shall: a. Comply FIPS PUB 199, FIPS PUB 200, and any relevant IT SOPs on certification and accreditation. b. Acknowledge all applicable NIST-SP controls. c. Complete the Privacy Impact Analysis (PIA). d. Comply with NPR A, IT Security Requirements. e. Install and configure Agency Security Update System (ASUS) or approved Agency Patching and Reporting System to Center specifications. f. Install and configure Agency Security Configuration Standards (ASCS) to Agency and Center specifications. g. Provide a NASA approved Certified System Administrator. h. Perform a vulnerability scan, mitigate findings, and document results. i. Provide NIST SP control acceptance and Plan of Action & Milestones (POA&M) list to be reviewed by the Center s Certification and Accreditation (C&A) Official. j. Draft Authorizing Official (AO) letter per NASA Authority to Operate (ATO) process. k. Submit the complete package of items a-j above to the Center ITSM for review. l. Upon completion of Center ITSM review, submit ATO package to the AO System Configuration Requirements For any computer system that is not managed by ODIN or its successor, the contractor shall: a. Meet the current and future requirements in the NASA-STD-2804, Minimum Interoperability Software Suite, and NASA-STD-2805, Minimum Hardware Configurations, for all computer systems, unless otherwise approved by the COTR. b. Configure non-nasa managed services desktop systems with the required standard application software suite, if applicable, to stay consistent across the Agency to Page 10-2 of 10-8

4 ensure that interoperability issues do not arise. The Government has defined a core standard application software suite that is loaded on all NASA managed services computers. c. Provide and maintain software that is defined in the current and future versions of NASA-STD d. Update the computer with new software versions, upgrades, modifications, and nonsecurity and non-bug related patches associated with the operation system and application software within 1 year of the latest release by the software vendor or by the date specified in the current and future versions of NASA-STD e. Once the contractor has tested the new release, present the test results and any impacts to associated applications then submit to the CCB in sufficient time to ensure roll out within 1 year of release or by the date specified in NASA-STD- 2804, unless otherwise specified by the COTR or designee. f. Configure regular virus scans on all computer systems which the contractor is responsible. g. Enable real-time file protection and schedule full virus scans no less frequently than weekly, unless otherwise defined in Center policies or directed by the COTR or designee. h. Configure automatic updates of virus signatures no less frequently than daily for desktops, unless otherwise defined in Center policies or directed by the COTR or designee. i. Configure, in addition to NASA-STD-2804, regular adware, spyware, and malware scans on all systems for which they are responsible, but not including servers. The contractor shall enable real-time system protection and schedule full adware and spyware scans no less frequently than weekly for any desktops, unless otherwise defined in Center policies Management and Operations Vulnerability Assessment and Remediation The contractor shall provide management control services to implement IT security at KSC. In performance of these services, the contractor shall: a. Participate in the Center-wide vulnerability scanning activity. The contractor shall mitigate vulnerabilities identified, track vulnerabilities and fixes, and report the statistics to the system owner, OCSO, and COTR or designee. Page 10-3 of 10-8

5 b. Obtain approval from the system owner, OCSO, and COTR for a temporary. For a medium or low vulnerability, the contractor may mitigate the vulnerability or present a researched recommendation that justifies accepting the risk. c. Evaluate, test, and implement of these services; depending on the assessed (critical, high, medium, or low) of a vulnerability, obtain system owner, OCSO, and COTR with the. d. Comply with the standard and expedited requirements in the Vulnerability Mitigation Requirements Table below. e. Notify the system owner, OCSO, and COTR when the vulnerability is mitigated and steps taken to mitigate the vulnerability. f. Obtain approval by the system owner, OCSO, and COTR for any deviation from the requirements. g. Submit a statistics report on a monthly basis for all vulnerabilities mitigated with their associated. A permanent is required for a critical or a high vulnerability; though in some cases a temporary may be necessary. Page 10-4 of 10-8

6 For High Categorization Systems: STANDARD 4 Hours 2 working 30 working EXPEDITED 2 hours 8 hours 8 working hours 2 working For Moderate Categorization Systems: STANDARD 1 working 1 30 working 30 working 40 working Page 10-5 of 10-8

7 For Moderate Categorization Systems: EXPEDITED 4 working hours 2 working 16 working hours For Low Categorization Systems: STANDARD 40 working 30 working 60 working EXPEDITED 1 working day 3 working Page 10-6 of 10-8

8 System Contingency Planning and Emergency Preparedness In addition to what is stated in NPR A, the contractor shall participate in contingency and Disaster Recovery (DR) planning, training, and testing in accordance with the current Center Contingency Plan, COOP, and system DR plan. In performance of these services, the contractor shall: a. At least annually train contingency teams in plan procedures and operations. b. At least annually develop, plan, and implement a contingency scenario test designed to validate the effectiveness of the assigned plan(s) to quickly restore IT operations and functionality in the event of a disaster. c. Deliver a lessons learned report from each test and use the results to update the IT Contingency Plan. d. Participate in Center DR operations, in the event the Center s plan is invoked, in accordance with the Center Contingency and DR Plan. System Monitoring In performance of these services, the contractor shall: a. Ensure equipment or device logging is enabled, review logs, and report anomalies to the KSC OCSO. b. Retain electronic archival copies of all logs and retain for one year with the exception of activity logs that shall be retained for three years. c. Perform all necessary support in the event of a Government-initiated investigation, Assessment, or Certification involving the contractor s team or the contractor s customers. d. Perform all services necessary to properly respond to NASA IT security bulletins or notices from the NASA Incident Response Center (NASIRC), or the NASA CIO that apply to any contractor-supported system or environment. e. Take necessary and/or immediate corrective actions on any system in response to these bulletins and notices, and notify the system owner, COTR, and OCSO of any suspicious activities per Center security procedures IT Security Reporting Requirements The contractor shall comply with reporting requirements set by the Federal Information Security Management Act (FISMA), the Office of Management and Budget (OMB), the Page 10-7 of 10-8

9 Office of the Inspector General (OIG), and the Center and Agency CIO as baseline and agreed to at the start of the contract period of performance. In performance of these services, the contractor shall: a. Report IT security incidents to the ITSM or designee(s) within one hour and shall follow the Center s documented IT security incident response procedures. b. Report using the format and content set forth in each Center s incident response report (Institutional Security Status). c. Report unexplained system anomalies that, in the judgment of the system administrator, may affect confidentiality of data or integrity of a system/data to the ITSM or designee within one hour. Such anomalies include, but are not limited to, unexplained change of directory or file permissions, unexplained installation, removal or starting/stopping of software, unexplained network traffic, unexplained unavailability of a production service, or any malicious activity. d. Provide all necessary assistance to the investigating team Distribution of Risks, Threats and Vulnerabilities The contractor shall encrypt all electronic transmissions and storage of sensitive but unclassified (SBU) information with the Agency approved encryption software and solutions Storage of System Documentation and Backup Media The contractor shall store duplicate copies of system documentation with the backup media, including updates at an off-site location secure from threats, in accordance the approved security plan Prohibition of Government Data The contractor shall not store, copy, or transfer NASA SBU data to any non-c&a system, in accordance with NPR A or for non-nasa system in accordance with NIST The contractor shall comply with OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, OMB Memorandum M-06-16, Protection of Sensitive Agency Information, and OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. Page 10-8 of 10-8